About the author

Lee Hinman writes S-expressions for Sonian all day. Feel free to email me at lee [at] writequit [dot] org. If you do contact me, I highly recommend that you use some sort of encryption.
I enjoy doing software development, security research and writing tools and libraries (mostly in Clojure or Ruby).

I use keyboard shortcuts. A lot. So much, in fact, that I find it incredibly annoying when websites create their own keyboard shortcuts for their pages. Most wiki-type sites (Wikipedia, Trac, Twiki) use keyboard shortcuts on their pages.

I am a firm believer that application-level keybindings should always take precedence over website keybindings, no matter what. Not only is this in line with the conceptual view of how the two interact, but it’s also better for security reasons. Take, for example, the keyboard shortcut to access the preferences for almost all applications on OS X: Apple+, (or CMD+,).

Why stop with usability features like focusing the find box? Why not overwrite the keyboard shortcut for accessing the browser’s preferences and trick the website user into clicking on something he or she should not be clicking on? (Note that it requires JavaScript. Firefox’s popup blocker will catch it, but Safari’s does not; it also looks more realistic in Safari.)

Use CMD+, to open the preferences for either Safari or Firefox. I used Firefox for this example, but I could just as easily have used Safari. I mocked this up in about 5 minutes; I could also easily have opened a page instead of just an image.

Did you see the fake preferences window? Now tell me how many people (non-technical users) would immediately know that this window was not the real preferences window for Firefox? What if the website had a “How-to” guide for setting a Firefox preference, and encouraged the user to “Press CMD+, to open the preferences, then click on <blah> and type <blah>”? If the website showed a picture of a false preferences panel and said “It’s perfectly normal for Firefox preferences to ask for your password, enter it into the box on the ‘Security’ tab”, how many users might be tricked into doing that? You could write a guide for setting a preference that was actually a phishing site.

Come on, browser devs, don’t let JavaScript steal ALL the shortcuts; at least don’t pass browser-specific shortcuts to the site BEFORE handling them. (Or make it an option you have to turn on?)

Thoughts? What do you think, should websites have the ability to capture keystrokes? Should browser developers pass things through? What about a site-(white|black)list for keyboard shortcuts?
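
The dispatch order argued for above (browser-reserved shortcuts handled before the page sees them, with a user opt-in and a per-site list), modeled as an added example that is not part of the original post and not any browser's actual API. The names `RESERVED`, `route` and `dispatch`, the policy shape and the example origins are assumptions made for illustration.

```javascript
// Added illustration, not a real browser API: a model of the dispatch order
// the post asks for. RESERVED, route() and dispatch() are hypothetical names.

// Shortcuts owned by the browser itself (constructed sample list).
const RESERVED = new Set(["Meta+,", "Meta+f", "Meta+q", "Meta+w"]);

// Canonical "Mod+Mod+key" string for a keydown-like object.
function combo(ev) {
  const mods = [];
  if (ev.ctrlKey) mods.push("Ctrl");
  if (ev.altKey) mods.push("Alt");
  if (ev.shiftKey) mods.push("Shift");
  if (ev.metaKey) mods.push("Meta");
  return [...mods, String(ev.key).toLowerCase()].join("+");
}

// Decide who sees the keystroke first. policy.allow holds origins the user
// opted in to full shortcut capture; policy.block holds origins that never
// receive modifier shortcuts at all.
function route(ev, origin, policy) {
  const c = combo(ev);
  const modified = Boolean(ev.ctrlKey || ev.altKey || ev.metaKey);
  if (modified && policy.block.has(origin)) {
    return { combo: c, target: "browser", reason: "origin blocklisted" };
  }
  if (RESERVED.has(c) && !policy.allow.has(origin)) {
    return { combo: c, target: "browser", reason: "reserved shortcut" };
  }
  return { combo: c, target: "page", reason: "not reserved or opted in" };
}

// Simulate delivery: the page handler runs only when route() says so, and
// only then can its preventDefault() suppress the browser's own action.
function dispatch(ev, origin, policy, pageHandler) {
  const decision = route(ev, origin, policy);
  let prevented = false;
  if (decision.target === "page") {
    pageHandler({ ...ev, preventDefault: () => { prevented = true; } });
  }
  return { ...decision, browserActionRuns: !prevented };
}

// Constructed sample: a page that swallows every key event it is given.
const swallowAll = (ev) => ev.preventDefault();
const policy = { allow: new Set(["https://wiki.example"]), block: new Set() };
const cmdComma = { key: ",", metaKey: true };
console.log(dispatch(cmdComma, "https://blog.example", policy, swallowAll));
console.log(dispatch(cmdComma, "https://wiki.example", policy, swallowAll));
```

With the default policy the page handler is never invoked for CMD+, so the real preferences window opens; only the origin the user explicitly opted in can intercept it.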